>> First find the hptda's for each of the slots of interest since we are
>> looking at private arena storage

# .p8
Slot Pid  Ppid Csid Ord  Sta Pri  pTSD     pPTDA    pTCB     Disp SG Name
0008 0008 0001 0008 0007 blk 0200 abd2f000 abe497f0 abe28bf0      01 PMSHL32

# .mom %abe497f0
hob  va        flgs own  hmte sown,cnt lt st xf
027a %abe497f0 8000 ffcb ff79 0000 00  00 00 00 ptda 0008 c:pmshell.exe

# .p 9
Slot Pid  Ppid Csid Ord  Sta Pri  pTSD     pPTDA    pTCB     Disp SG Name
0009 0004 0001 0003 0001 blk 081f abd30000 abe48614 abe28de8      00 GAMBIT

# .mom %abe48614
hob  va        flgs own  hmte sown,cnt lt st xf
02ac %abe48614 8000 ffcb 02a8 0000 00  00 00 00 ptda 0004 c:gambit.exe

>> Next list all the owners of 17:0

# .m #17:0
*har par       cpg      va        flg next prev link hash hob  hal
026d %feef2568 00000010 %00020000 1d9 029a 026c 0000 0000 029d 0000 hptda=02ad
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
029d 026d 0000   0838 029e 029e 0000 00  00 00 00 shared c:lanmsgex.exe
*har par       cpg      va        flg next prev link hash hob  hal
0277 %feef2644 00000010 %00020000 1d9 0276 0272 0000 0000 02b0 0000 hptda=02ac
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
02b0 0277 0000   0838 02b1 02b1 0000 00  00 00 00 shared c:gambit.exe
*har par       cpg      va        flg next prev link hash hob  hal
02a0 %feef29ca 00000010 %00020000 179 02a4 029f 0000 0000 02e8 0000 hptda=02e1
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
02e8 02a0 0000   002c 02e1 02e7 0000 00  00 00 00 priv 0007 c:landll.exe
*har par       cpg      va        flg next prev link hash hob  hal
02aa %feef2aa6 00000010 %00020000 179 02ab 02a9 0000 0000 02f8 0000 hptda=027a
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
02f8 02aa 0000   002c 027a 02f7 0000 00  00 00 00 priv 0008 c:pmshell.exe
*har par       cpg      va        flg next prev link hash hob  hal
02fc %feef31b2 00000010 %00020000 1d9 02fd 02fb 0000 0000 0360 0000 hptda=0359
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
0360 02fc 0000   0838 035f 035f 0000 00  00 00 00 shared c:harderr.exe
*har par       cpg      va        flg next prev link hash hob  hal
0360 %feef3a4a 00000010 %00020000 1d9 0361 035f 0000 0000 03d0 0000 hptda=03c9
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
03d0 0360 0000   0838 03cf 03cf 0000 00  00 00 00 shared c:ddaemon.exe
*har par       cpg      va        flg next prev link hash hob  hal
036b %feef3b3c 00000010 %00020000 1d9 036c 036a 0000 0000 03e0 0000 hptda=03d9
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
03e0 036b 0000   0838 03df 03df 0000 00  00 00 00 shared c:spdaemon.exe
*har par       cpg      va        flg next prev link hash hob  hal
0378 %feef3c5a 00000010 %00020000 1d9 0379 0377 0000 0000 03f3 0000 hptda=03ec
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
03f3 0378 0000   0838 03f2 03f2 0000 00  00 00 00 shared
*har par       cpg      va        flg next prev link hash hob  hal
040e %feef493e 00000010 %00020000 179 045c 040f 0000 0000 04c6 0000 hptda=04b2
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
04c6 040e 0000   002c 04b2 0522 0000 00  00 00 00 priv 0043 c:pmspool.exe
*har par       cpg      va        flg next prev link hash hob  hal
0427 %feef4b64 00000010 %00020000 179 0428 0426 0000 0000 04cf 0000 hptda=04ca
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
04cf 0427 0000   002c 04ca 02f7 0000 00  00 00 00 priv 000f c:pmshell.exe
*har par       cpg      va        flg next prev link hash hob  hal
04e8 %feef5bfa 00000010 %00020000 179 04e6 04e5 0000 0000 05d4 0000 hptda=05c3
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
05d4 04e8 0000   002c 05c3 05cf 0000 00  00 00 00 priv 0016 c:pawn.exe
*har par       cpg      va        flg next prev link hash hob  hal
0502 %feef5e36 00000010 %00020000 1d9 059f 0598 0000 0000 0507 0000 hptda=06d1
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
0507 0502 0000   0838 05b3 05b3 0000 00  00 00 00 shared
*har par       cpg      va        flg next prev link hash hob  hal
0507 %feef5ea4 00000010 %00100000 1e1 056c 05cb 05d4 0000 0678 0018 hptda=04af
hal=0018 pal=%fddae0d8 har=0507 hptda=04af pgoff=00000 f=081
har  par       cpg      va        flg next prev link hash hob  hal
05d4 %feef7042 00000040 %00000000 1e1 05bf 0461 0000 0000 0678 0000 hptda=04af
hob  har  hobnxt flgs own  hmte sown,cnt lt st xf
0678 0507 0000   103c 04af 0000 0000 00  00 00 00 priv 005b *vdm

>> Slot 8:

# .mo 2b1
hob  va        flgs own  hmte sown,cnt lt st xf
02b1 %feeeef38 8000 ffa6 02a7 0000 00  00 00 00 mte c:gambit.exe

# .lmo 2b1
hmte=02b1 pmte=%feeeef38 mflags=00003140 c:\dcaf13\gambit.exe
seg  sect psiz vsiz hob  sel  flags
0001 0002 1fe0 1fe0 02b2 000f 2d20 code shr rel
0002 0013 002a 002c 02b0 0017 2d20 code shr rel
0003 0014 19ae 19ae 0000 001f 0d01 data rel
0004 0022 0002 0002 02a9 0027 2c20 code shr
0005 0000 0000 3400 0000 002f 0c01 data
#

>> Slot 9

# .mo 2f7
hob  va        flgs own  hmte sown,cnt lt st xf
02f7 %fdf40a18 8000 ffa6 0000 0000 00  00 00 00 mte c:pmshell.exe
#

This is private arena data of some sort, whose address range is present in 13 processes.
The hptda for pid 4 (slot 9) is 2ac.
The second major entry from the .m output (har=277, hptda=2ac) is for gambit.exe in pid 4.
The owner and hmte are the same (2b1). This indicates a code segment within the module gambit.exe.
.LMO 2b1 shows this to be in segment 2 of gambit.exe: the hob listed for segment 2 (02b0) is the hob of this arena record.
The storage in pid 8 (slot 8) is shown in the 4th entry, har=2aa.
Here own=27a and hmte=2f7.
The owner is shown to the right of the VMOB as being pid 8. We can check this by displaying hob 27a. This turns out to be a ptda for pid 8, as we saw when we used .mom against the PTDA address.
.mo 2f7 shows this to be the MTE for pmshell.exe. We conclude that pmshell has allocated private memory in pid 8 at this address.
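
The two checks used above (own equal to hmte means a segment of a module; own equal to the process hptda means private memory owned by that process) can be applied to a saved .m listing with a short script. This is an added example, not part of the original walkthrough; the function names classify_owners and owners_for are hypothetical, and the sample input is two records copied from the listing above.

```python
import re

HEX4 = re.compile(r"[0-9a-f]{4}")

# Two records copied from the .m #17:0 listing on this page (header line,
# then value line, for the arena record and for the object record).
SAMPLE = """\
*har par cpg va flg next prev link hash hob hal
0277 %feef2644 00000010 %00020000 1d9 0276 0272 0000 0000 02b0 0000 hptda=02ac
hob har hobnxt flgs own hmte sown,cnt lt st xf
02b0 0277 0000 0838 02b1 02b1 0000 00 00 00 00 shared c:gambit.exe
*har par cpg va flg next prev link hash hob hal
02aa %feef2aa6 00000010 %00020000 179 02ab 02a9 0000 0000 02f8 0000 hptda=027a
hob har hobnxt flgs own hmte sown,cnt lt st xf
02f8 02aa 0000 002c 027a 02f7 0000 00 00 00 00 priv 0008 c:pmshell.exe
"""

def classify_owners(text):
    """Pair each arena record with its object record, then apply the two
    checks from the walkthrough: own == hmte -> segment of a module;
    own == hptda -> private memory owned by that process's PTDA."""
    results, arena = [], None
    for line in text.splitlines():
        f = line.split()  # whitespace-tolerant, so aligned output also parses
        tag = next((t for t in f if t.startswith("hptda=")), None)
        if tag and len(f) >= 12 and HEX4.fullmatch(f[0]) and f[1][:1] == "%":
            arena = {"har": f[0], "hptda": tag[len("hptda="):]}
        elif (arena and len(f) >= 6 and f[1] == arena["har"]
              and all(HEX4.fullmatch(t) for t in f[:6])):
            own, hmte = f[4], f[5]
            if own == hmte:
                kind = "module segment"
            elif own == arena["hptda"]:
                kind = "private allocation"
            else:
                kind = "unclassified"  # needs a manual look at hob `own`
            results.append({**arena, "hob": f[0], "own": own,
                            "hmte": hmte, "kind": kind})
            arena = None
    return results

def owners_for(text, hptda):
    """Records for one process context, e.g. hptda 02ac for pid 4."""
    return [r for r in classify_owners(text) if r["hptda"] == hptda]

if __name__ == "__main__":
    for rec in classify_owners(SAMPLE):
        print(rec)
```

For a record classified as a private allocation, hmte is the handle to pass to .mo to name the allocating module, as done with 2f7 above.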